Removal of CAs from Federal PKI

Publish Date: March 5, 2019

Federal PKI teams performed two actions to remove fifty-nine (59) certification authorities (CAs) related to health IT use cases from the Federal PKI trust framework. This change is related to efforts to assess and maintain the mission scope for Federal PKI and reduce burden for commercial and non-profit organizations. This change is not a distrust action.

This announcement provides details related to the CAs affected by this change.

What was the change?

The issuance of the new cross-certificate was to ensure operations for three (3) electronic prescriptions for controlled substance (EPCS) systems were not immediately impacted by the planned revocation of the Federal Bridge CA 2016 / DigiCert Federated ID CA-1 cross-certificate.

What should I do?

A majority of mission operational use cases will never encounter certificates issued from these CAs. Certificates from these CAs are primarily used for nationwide healthcare information systems and electronic health records.

You can remove these CAs from trust list configurations used for the following purposes:

Note: Federal Bridge CA 2016 issued a cross certificate to the DigiCert Federated ID L3 CA on February 28, 2019. This will ensure operations for three (3) Electronic Prescriptions for Controlled Substance (EPCS) customers are not immediately impacted while we continue to review these systems and the use case.